Bill C-27

I think there will always be differences of opinions as to whether definitions are sufficiently stringent or overly weak.

What would address our concerns? There are three categories of concerns that we have around de-identified and anonymized information. The first is that the definition has been weakened between Bill C-11 and the current iteration, Bill C-27. In the past definition, it included indirect identifiers. You can identify me by my name, but you can also identify me if you have a combination of my postal code, my gender and a few other factors about me. To truly de-identify information to an adequate standard where re-identification is unlikely, I believe—and my co-submitters believe—that the definition should include indirect identifiers.

To some degree, that definition has been weakened because Bill C-27 includes the addition of a new category of information: anonymized information. The problem with that new category is that technically people agree that it's extremely difficult to achieve perfect and effective anonymized information, and by taking anonymized information out of the scope of the bill, what we do is remove it from the ability of the Office of the Privacy Commissioner of Canada to inspect the processing that has happened to ensure that it has been done to a reasonable standard.

Like some of the witnesses you heard from—who would disagree with me about whether or not definitions should be stronger or weaker—I think we all agree on the reality that when personal information is processed, whether it is used to create de-identified information or anonymized information, there should be some checks and balances to make sure that the companies doing it are doing it to a reasonable standard that is broadly accepted. The way to achieve that is by including the ability within the bill for the Office of the Privacy Commissioner to inspect that processing and give it a passing grade, should that be necessary.

The last piece of concern we have with anonymization, which makes that scrutiny even more important, is that the bill conflates anonymization with deletion. It was introduced to great fanfare when this bill was put forward that individuals would now have a right to request deletion of their personal information from the companies with which they deal.

That right, I believe, is rendered moderately illusory. Certainly members of the public would not expect that if they ask for their information to be deleted, an organization could say, yes, they'll do that, and then simply anonymize the information and continue to use it for their own purposes. If we are going to allow anonymized information to be equivalent to deletion, again, it's incredibly important that we are 100% certain that the equivalency is real and valid, that truly no individual can be identified from that information and that it's not going to harm them in its use after they've explicitly exercised their right to ask for deletion.

Thank you.

I have concerns about both the CPPA and the AIDA. Many of these have been communicated in my own writings and in the report submitted to this committee by the Centre for Digital Rights. My comments today focus on the consumer privacy protection act. I note, however, that I have very substantial concerns about the AI and data act, and I would be happy to answer questions on that, as well.

Let me begin by stating that I am generally supportive of the recommendations of Commissioner Dufresne for the amendment of Bill C‑27, as set out in his letter of April 26, 2023 to the chair of this committee.

I will address three other points.

The minister has chosen to retain consent as the backbone of the CPPA, with specific exceptions to consent. One of the most significant of these is the “legitimate interest” exception in proposed subsection 18(3). This allows organizations to collect or use personal information without knowledge or consent if it is for an activity in which an organization has a legitimate interest. There are guardrails: The interest must outweigh any adverse effects on the individual; it must be one that a reasonable person would expect; and the information must not be collected or used to influence the behaviour or decisions of the individual. There are also additional documentation and mitigation requirements.

The problem lies in the continuing presence of “implied consent” in proposed subsection 15(5) of the CPPA. PIPEDA allowed for implied consent because there were circumstances where it made sense and there was no legitimate interest exception. However, in the CPPA, the legitimate interest exception does the work of implied consent. Leaving implied consent in the legislation provides a way to get around the guardrails in proposed subsection 18(3). An organization can opt for the implied consent route instead of legitimate interest. It will create confusion for organizations that might struggle to understand which is the appropriate approach. The solution is simple: Get rid of implied consent. I note that implied consent is not a basis for processing under the GDPR. Consent must be expressed, or processing must fall under another permitted ground.

My second point relates to proposed section 39 of the CPPA: an exception to an individual's knowledge and consent where information is disclosed to a potentially very broad range of entities for “socially beneficial purposes”. Such information need only be de-identified—not anonymized—making it more vulnerable to re-identification. I question whether there is social licence for sharing de-identified rather than anonymized data for these purposes. I note that proposed section 39 was carried over verbatim from Bill C-11, when “de-identified” was defined to mean what we now understand as anonymized. Permitting disclosure for socially beneficial purposes is a useful idea, but proposed section 39, especially with the shift in meaning of “de-identified”, lacks necessary safeguards.

First, there is no obvious transparency requirement. If we are to learn anything from the ETHI committee's inquiry into PHAC's use of Canadians' mobility data, transparency is fundamentally important. At the very least, there should be a requirement that written notice of data sharing for socially beneficial purposes be given to the Privacy Commissioner of Canada. Ideally, there should also be a requirement for public notice. Further, proposed section 39 should provide that any sharing be subject to a data-sharing agreement, which should also be provided to the Privacy Commissioner. None of this is too much to ask where Canadians' data are conscripted for public purposes. Failure to ensure transparency and a basic measure of oversight will undermine trust and legitimacy.

My third point relates to the exception to knowledge and consent for publicly available personal information. Bill C-27 reproduces PIPEDA's provision on publicly available personal information, providing in proposed section 51 that “An organization may collect, use or disclose an individual's personal information without their knowledge or consent if the personal information is publicly available and is specified by the regulations.” We have seen the consequences of data scraping from social media platforms in the case of Clearview AI, which used scraped photographs to build a massive facial recognition database. The Privacy Commissioner takes the position that personal information on social media platforms does not fall within the “publicly available personal information” exception.

Not only could this approach be upended in the future by the new personal information and data protection tribunal, but it could also easily be modified by new regulations. Recognizing the importance of proposed section 51, former Commissioner Therrien recommended amending it to add that the publicly available personal information be “such that the individual would have no reasonable expectation of privacy.” An alternative is to incorporate the text of the current regulations specifying publicly available information into the CPPA, revising them to clarify scope and application in our current data environment. I would be happy to provide some sample language.

This issue should not be left to regulations. The amount of publicly available personal information online is staggering, and it is easily susceptible to scraping and misuse. It should be clear and explicit in the law that personal data cannot be harvested from the Internet, except in limited circumstances set out in the statute.

Finally, I add my voice to those of so many others in saying that data protection obligations set out in the CPPA should apply to political parties. It is unacceptable that they do not.

Thank you.

Thank you, Mr. Chair and members of the committee, for inviting me here today to speak to the submission authored by Jane Bailey, professor at the faculty of law of the University of Ottawa; Jacquelyn Burkell, professor at the faculty of information and media studies at Western University; and myself, currently the acting executive director of the public policy and digital society program at McMaster University.

It is a privilege to appear before you on this omnibus bill, which needs significant improvement to protect people in the face of emerging data-hungry technologies.

I will focus on part 1 and very briefly on part 3 of the bill in these initial remarks, and I welcome questions on both.

Privacy, of course, is a fundamental underpinning of our democratic society, but it is also a gateway right that enables or reinforces other rights, including equality rights. Our written submission explicitly focuses on the connection between privacy and equality, because strong, effective privacy laws help prevent excessive and discriminatory uses of data.

We identified eight areas where the CPPA falls short. In these remarks, I will focus on four.

First of all, privacy must be recognized as a fundamental human right. Like others on this panel, while we welcome the amendment suggested by Minister Champagne, we would note that proposed section 12 in particular also requires amendment so that the analysis to determine whether information is collected or used for an appropriate purpose is grounded in that right.

Bill C-27 offers a significant improvement over PIPEDA in explicitly bringing de-identified information into the scope of the law, but it has diminished the definition from the predecessor law, Bill C-11, by removing the mention of indirect identifiers. The bill also introduces a new category, anonymized information, which is deemed out of the scope of the act, in contrast to the superior approach taken by Quebec. Given that even effective anonymization of personal data fails to address the concerns about social sorting that sit at the junction of privacy and equality, all data derived from personal information, whether identifiable, de-identified or anonymized, should be subject to proportionate oversight by the OPC, simply to ensure that it's done right.

Third, proposed subsection 12(4) weakens requirements for purpose specification. It allows information collected for one purpose by organizations to be used for something else simply by recording that new purpose any time after the initial collection. How often have you shared information with a business and then gone back a year later to see if it had changed its mind about how it's going to use it? At a minimum, the bill needs constraints that limit new uses to purposes consistent with the original consensual purpose.

Finally, the CPPA adds a series of exceptions to consent. I'll focus here on the worst, the legitimate interest exception in proposed subsection 18(3), which I differ from my colleagues in believing should be struck from the bill. It is a dangerously permissive exception that allows collection without knowledge or consent if the organization that wants the information decides its mere interest outweighs adverse impacts on an individual.

This essentially allows collections for organizational purposes that don't have to provide benefits to the customer. Keeping in mind that the CPPA is the bill that turns the tap for the AIDA on or off, this exception opens the tap and then takes away the handle. Here, I would commend to you the concerns of the Right2YourFace coalition, which flags this exception as one in which organizations may attempt to justify and hide their use of invasive facial recognition technology.

Turning to part 3 of Bill C-27, the AIDA received virtually no public consultation prior to being included in Bill C-27, and that lack of feedback has resulted in a bill that is fundamentally underdeveloped and prioritizes commercial over public interests. The bill, by focusing only on high-impact systems, leaves systems that fail to meet the threshold unregulated. AI can impact equality in nuanced ways not limited to systems that may be obviously high-impact, and we need an act that is flexible enough to also address bias in those systems in a proportionate manner.

A recommender system is mundane these days, yet it can affect whether we view the world with tolerance or prejudice from our filter bubble. Election time comes to mind as a time when that cumulative impact could change our society. Maybe that should be in, and maybe it should be out. We just haven't had the public conversation to work through the range of risks, and it's a disservice to Canadians that we're reduced to talking about amendments to a bad bill in the absence of a shared understanding of the full scope of what it needs to do and what it should not do.

Practically, in our submission, we nonetheless make specific recommendations in our brief to include law enforcement agencies in scope, to create independent oversight and to amend the definitions of harm and bias. We further support the recommendations submitted by the Women's Legal Education & Action Fund.

I would be very happy to address all of these recommendations during the question period.

Thank you.

Thank you, Mr. Chair and members of the committee. I am very honoured to be speaking with you today regarding Bill C-27.

I am currently a professor of law at the University of Colorado, but when I was the director of CIPPIC at the University of Ottawa, we published two reports in the spring of 2023 that consider AIDA and the CPPA. I am going to focus my remarks on the CPPA, particularly on provisions that relate to the privacy of minors. I would be happy to share some of my thoughts around AIDA as well.

I would like to begin by saying that I agree with everything that Professor Bennett and Professor Geist said. You could treat these remarks as additive.

While it is very welcome that the CPPA, unlike PIPEDA, specifically defines that the personal information of minors is sensitive information, Professor Bennett already told you about how “sensitive information” is not a defined term in the legislation. It is positive that children would have—if this bill passes into law—some recognition of the importance of protecting their personal information to a higher standard. However, we believe that this legislation can do far better.

For context, it is important to realize that children spend increasing amounts of time online, at younger and younger ages. This is a trend that accelerated during COVID-19 and the transition to digital online learning. I am a parent, and I am sure many of you are parents. Our children are using devices under commercial terms of service all the time, and this poses a very significant risk to the privacy rights of children.

While COVID has receded, it's the new reality that kids are using more and more technology at younger ages. What can we do? There are three things, and then a fourth about jurisdictional competence.

The Privacy Commissioner, in his recommendations regarding the CPPA, suggested that “best interests of the children” language should be incorporated into the law, and he suggested doing that in the preamble. I take no position myself as to where that should be done, but it is clear that this is international best practice. The United Kingdom and California have both incorporated such language into recently enacted statues, and we think that Canada should follow this approach. What would that mean? It means that organizations that handle children's personal data must take the best interests of children into account. That must come ahead of their commercial interests.

Second, we think it is important for the CPPA to require organizations that develop products or services that are likely to be accessed by children to set their privacy settings to the highest level. Defaults play a really important role in our subjective experience of privacy. It is great to have rights, but you can very easily leave those rights on the table if a setting is such that it contracts you out. We think that requiring a company to set those defaults to high levels when children are their likely users or their known users is very important.

Third, I'd like to pick up on what Professor Bennett told you about data protection impact assessments, a made-in-Canada idea. Bill C-27 is extremely weak when it comes to data protection impact assessments. The provisions apply only when the legitimate interest, excepting the consent, is being used. This is a problem for everyone, especially for children.

We believe—and I specifically believe this personally—that the data protection impact assessment requirements of this bill need to be considerably strengthened whenever data-processing activities pose a high risk to the privacy rights of Canadians. I would say that if children's data is sensitive data, that means we basically need to do that impact assessment all the time.

Last, I'd like to talk about constitutional competence here. There may be some concerns that it may be beyond federal competence to protect the privacy rights of children with more expansive provisions. Our analysis suggests otherwise. CPPA, like PIPEDA before it, is being enacted under Parliament's power to regulate trade and commerce.

Now, it is true that in our federal system, provincial governments get to determine the age of majority, but there is plenty of federal legislation that is designed to protect the rights of children. This also leads to how we think of this law, the consumer privacy protection act. It's not just a form of privacy regulation; it's also, when you think about it, a form of consumer protection legislation that is regulating the safety of digital products that invade and interfere with our right to privacy.

In view of the long history of federal regulation directed at protecting children in the marketplace, we think it would be appropriate for the federal government to include stronger privacy protections, and that would not prejudice provincial laws, like Quebec's, that are stronger. Just as PIPEDA yields to provincial legislation when it's substantially equivalent or better, the same could be true of strengthened children's privacy protections in the new CPPA.

Thank you very much.

Thank you very much, Mr. Chair.

I'm from the University of Victoria, although I'm currently in Australia. I wish everybody a good day.

I would like to emphasize five specific areas for reform of the CPPA and to suggest ways in which the bill might be brought into better alignment with Quebec's law 25. I don't think that Bill C-27 should be allowed to undermine Quebec law, and in some respects, it does. I also think these are some of the areas where the bill will be vulnerable when the European Commission comes to evaluate whether Canadian law continues to provide an adequate level of protection.

Some of these recommendations are taken from the report that you have from the Centre for Digital Rights, which I'd like to commend to you.

First, I believe that CPPA's proposed section 15, on consent, is confusing to both consumers and businesses. In particular, I question the continued reliance on “implied consent” in proposed subsection 15(5), which states, “Consent must be expressly obtained unless...it is appropriate to rely on an individual's implied consent”.

The bill enumerates those business activities for which consent is not required, including if “the organization has a legitimate interest that outweighs any potential adverse effect on the individual”. That's a standard that has been imported from the GDPR. However, in the GDPR, “consent” means express consent; it's “freely given, specific, informed and unambiguous”.

In the current version of the CPPA, businesses can have it both ways. They can declare that they have implied consent because of some inaction that a consumer allegedly took in the past because of not reading the legalese in a complex terms-of-service agreement, or they can assert a “legitimate interest” in the personal data by claiming that there is no “potential adverse effect on the individual”. That is a risk assessment performed by the company rather than a judgment made about the human rights of individuals to control their personal information.

In that respect, it's really important that the bill be brought within a human rights framework. There should be no room for implied consent in this legislation. It's a dated idea that creates confusion for both consumers and businesses.

Second, there is no section in the CPPA on international data transfers. I find that very odd. I know of no other modern privacy law that fails to give businesses proper guidance on what they have to do if they want to process personal data offshore. The only requirement is for the organization to require the service provider, “by contract or otherwise,” to ensure “a level of protection of the personal information equivalent to that which the organization is required to provide under this Act.” That's proposed subsection 11(1) of the CPPA.

That due diligence applies whether the business is transferring personal data to another province in Canada or overseas to a country that may or may not have strong privacy protection or, indeed, a record of the protection of human rights. That's particularly troubling because of proposed section 19 of the CPPA, which reads, “An organization may transfer an individual's personal information to a service provider without their knowledge or consent.”

The Canadian government has never gotten into the business of adopting a safe harbour approach or a white list, and I'm not recommending that. However, Quebec, I believe, has legislated an appropriate compromise under section 17 of law 25, which requires businesses to do an assessment, including of the legal framework, when sending personal data outside of Quebec. As many businesses will have to comply with the Quebec legislation, why not mirror that provision in Bill C-27?

Third, the bill ignores important accountability mechanisms that were pioneered in Canada and exported to other jurisdictions, including Europe. Therefore, it's very strange that those same measures do not appear in the CPPA. In particular, privacy impact assessments are an established instrument and a critical component of accountable personal data governance, and they should be required in advance of product or service development, particularly where invasive technologies and business models are being applied, where minors are involved, where sensitive personal information is being collected, or where the processing is likely to result in a high risk to an individual's rights and freedoms. Businesses do the PIAs, and they stand ready to demonstrate their compliance or their accountability to the regulator.

A fourth and related problem is the absence of any definition of sensitive forms of personal data. The word “sensitivity” appears throughout the legislation in several provisions of the bill, but with the exception of the specification about data on minors, it is nowhere defined. In my view, the bill should define what “sensitive information” means, and it should also enumerate a non-exhaustive list of categories, which, in fact, occurs in many forms of legislation.

Finally—I know you've heard about this in the past, and I've researched on this—the absence of proper privacy standards for federal political parties is unjustifiable and untenable. The government is relying on the argument that the FPPs’ privacy practices are regulated under the Elections Act, but those provisions are nowhere near as strong as in Bill C-27. I think businesses resent the fact that parties are exempted. This is not an issue that will go away, given advances in technology and its use in modern digital campaigning. Canada is one of the few countries in the world in which political parties are not covered by applicable privacy law.

Thank you so much.

Indeed.

This raises the whole question of online age verification and techniques for determining whether a person is underage or not. This will be important in the context of Bill C‑27, which explicitly grants rights and treats information differently. It's an issue we're looking at, in the privacy field. There's a lot of discussion about it. In fact, the Information Commissioner's Office of the U.K. has issued guidelines on verification tools.

What we're saying, at the Office of the Privacy Commissioner, is that these tools need to be appropriate and not ask for too much personal information. Age verification needs to be managed, but we don't necessarily want to ask for too much personal information to do that. That said, there are ways of doing it and technologies to do it. It's another area where we need to be creative.

Also, it has to be context-appropriate. Some sites may be higher-risk and will require tighter verification. We can think of gambling or pornography sites, for example. Some sites may be less sensitive. Others may be aimed specifically at children. There may be a presumption.

I think this will be part of the implementation of this law. My office will have a role to play in this as it can issue guidelines.

In addition, the bill also provides for the creation of codes of practice and certification programs.

This will encourage organizations to adhere to a series of rules. If they respect them, it will have an effect on the complaints process, which will be beneficial for these organizations. So it will be one more tool. I suspect that the Office of the Privacy Commissioner will be able to work on it, precisely to give these details.

The Office of the Privacy Commissioner also has an advisory mandate. Companies, especially small and medium-sized enterprises, can contact us for answers to specific questions. We're here to help them with questions like these, especially those of a more technical nature.

Yes, a revision of the two laws is necessary. One is under way for the law in the private sector. This is Bill C‑27. This also includes a specific component for artificial intelligence.

A revision is necessary because the law is 20 years old. It's older than social media. We're still applying it, the principles are there, but technology is advancing rapidly. In my opinion, this calls for stronger proactive obligations, for example. We need to force organizations to make basic assessments that they have to disclose to our office; we also need to impose greater transparency, particularly when it comes to artificial intelligence.

The law governing the public sector, on the other hand, is even older. It dates back 40 years. It needs to be modernized and strengthened, because when it was passed, it was really at a time when the impact of data was not what it is today.

It's a problem for kids because of their greater vulnerability. We've made a number of recommendations in terms of making sure that we're not using these behavioural techniques of nudging. We shouldn't be nudging individuals generally, but certainly not children, into making bad decisions and making bad privacy decisions. There needs to be work on that.

There have been reports on social media being addictive and being addictive for children generally. Sometimes the business model is to try to encourage them to stay longer, because that's what generates more revenues. That has to be taken into consideration with children who have been online more and more during the pandemic, and since then with school. I've seen it and parents have seen it.

We need to adjust to this new reality as parents, children and society as a whole, so that there's a greater awareness of what this means and what their rights are.

Bill C-27 proposes a right to disposal. That's informing.... When I say that children have a right to be children, that's what I'm alluding to. Children do things online. If it stays online forever, then they're treated as adults right from when they're teenagers. It stays forever, and it could be used against them for jobs and so on and so forth.

We need to deal with this. Bill C-27 will deal with it to some extent, but we certainly need to build greater awareness of it as we are living more and more in a digital world. It brings innovation and it brings great things, but we need to be well equipped to deal with it and we need to learn about it. I would hope to see mandatory training in schools early on, so that individuals can get the tools early on.

We'll get these reflexes. We're going to ask questions. We're going to ask why they need this information. We're going to learn to see what a good privacy policy is, and if it's not, we're going to learn how to complain about it so that it could become a good privacy policy in the future.

That way, we're creating ambassadors for privacy everywhere.

That's why the European model, which is the General Data Protection Regulation, the model in Quebec, which is Bill 25, and the model proposed in Bill C‑27 provide that it's going to be a maximum amount of $10 million, for example, or 3% of sales. I think that addresses the issue you raised.

If a company has significant sales, $10 million isn't a lot; setting a percentage addresses that.

Again, in terms of meaningful consent, Bill C-27 would make it stronger in terms of explicitly saying that this has to be provided in information that the person can understand. That's what we look at. This is very complex information. How are you giving those notices? Are you giving a notice that only an expert will understand?

Even if you're an expert, you may be reviewing this at the end of the day. You may be tired. You may be bombarded with so many things. Every time you go on a website, you get a cookie page or whatnot. We provide a number of tips in that guidance: Make it user-friendly. Make it not just a one-time thing. Make sure that you sometimes provide follow-ups. Make it as understandable as possible. In the context of children, make it appropriate to the child. Maybe there are opportunities for video or other ways.

The goal is to provide the information so that individuals can understand what's going on and to bring that same innovation.... We often talk about innovation requiring data, and that's true, but let's use innovation to protect data. That would assist in terms of the consent and the explainability.

There are extra issues, in the sense that we will generally consider minors' information or children's information to be “sensitive information”. That brings with it greater obligations in terms of care and in terms of methods of consent.

We've issued guidance under current law about obtaining meaningful consent. We are expecting organizations to make it user-friendly and so on, but specifically with respect to children, there are circumstances in which they won't be able to give that consent. They may need a parent to do that if they're below a certain age. In our current guidance, although certain provinces might take different views, for us, if they're under13 years old, there's almost a presumption that you need that parental consent.

It certainly has to be considered in how you look at information. They will have different needs. They will have greater vulnerabilities. That is something that's recognized in the European legislation. It's proposed to be recognized in Bill C-27, which I certainly hope will happen.

Thank you, Mr. Chair.

I'm pleased to now turn to this part of the discussion. I thank the committee for its interest in the ways that social media platforms such as TikTok harvest, handle and share personal information.

The online world brings with it a host of possibilities for innovation and connection, but it also carries potential for significant harm, especially for young people.

As you know, my office, along with our counterparts in Quebec, British Columbia and Alberta, launched an investigation into TikTok in February. We are examining whether TikTok's practices comply with Canadian privacy legislation, and in particular whether it obtains valid and meaningful consent for the collection, use and disclosure of personal information.

We are also looking at whether a reasonable person would consider the purposes for which it handles personal information, in particular children's information, to be appropriate in the circumstances.

This matter is a high priority for my office, especially given the importance of protecting the fundamental right to privacy of young people, who represent a notable proportion of TikTok users. As a result of the ongoing investigation, there are limits to my ability to speak publicly about the company’s practices at the moment.

For that reason, I will focus my remarks today on the privacy principles that underpin my office’s approach to the digital world from the perspective of the privacy rights of children.

Growing up in the digital age presents significant new challenges for the privacy of young people. As children and youth embrace new technologies and experience much of their lives online, we need strong safeguards to protect their personal information, and how it may be collected, used and disclosed. Increasingly, their information is being used to create personalized content and advertising profiles that are ultimately aimed at influencing their behaviours.

Children have a right to be children, even in the digital world. As UNICEF notes in its policy guidance on artificial intelligence for children, young people are affected by digital technologies to a greater extent than adults. Young people are also less able to understand and appreciate the long-term implications of consenting to their data collection. Privacy laws should recognize the rights of the child and the right to be a child. This means interpreting the privacy provisions in the legislation in a way that is consistent with the best interests of the child.

I'm encouraged by statements from the Minister of Innovation, Science and Industry indicating that there is a desire to strengthen children's privacy rights in Bill C-27, the Digital Charter Implementation Act, 2022. My office has recommended that the preamble of the modernized federal privacy law should recognize that the processing of personal data should respect children's privacy and the best interests of the child. I believe that this would encourage organizations to build privacy for children into their products and services by design and by default. I was pleased to hear the minister signalling his agreement with that recommendation.

The law must have strong safeguards to protect children’s information from unauthorized access, and reflect greater consideration of the appropriateness of collecting, using and disclosing their information.

Earlier this month, my provincial and territorial colleagues and I adopted a resolution calling on organizations in the private and public sectors to put the best interests of young people first by, among other things, providing privacy tools and consent mechanisms that are appropriate for young people and their maturity level; rejecting the kind of deceptive practices that influence young people to make poor privacy decisions or to engage in harmful behaviours; and allowing for the deletion and de‑indexing of information that was collected when users were children.

I am happy to see this was included in Bill C‑27.

In closing, it's critical that government and organizations take action to ensure that young people can benefit from technology and be active online without the risk of being targeted, manipulated or harmed as a result. I expect that the findings from our investigation into TikTok will be informative not just for that company but also for other organizations that collect and handle children’s sensitive personal information.

I also look forward to seeing Bill C-27 progress through the legislative process in a way that will provide children and minors with the privacy protections that they need in this increasingly digital world.

With that, I will be happy to take your questions.